Incident Handling Process
last modified 2008-03-07 08:36
Here is information about the operations involved in incident handling by the Rutgers University Computing Incident Response Team (RU CIRT) and how they are carried out.
Sources of Incident Reports
- Email to abuse@rutgers.edu
- Results of network log analysis
- Results of network vulnerability scans
- Telephone reports
- In person reports
Actionable Incidents
The Rutgers University CIRT handles incidents in which a Rutgers host (or users) cause computer or network problems. More specifically, this includes:
- Violations of the University Code of Student Conduct
- Violations of the Acceptable Use Policy for Computing and Information Technology Resources. See also
- Violations of federal, state or local law. See IT Laws and Policies.
- Reports from departmental staff of attacks on their computers and subnets (experimental).
Issue Escalation and Overdue Tickets
- IPS - Abuse - Incidents queue is normal priority. After 5 business days (generally 1 calendar week), the Administrative Contact is notified that the ticket is overdue, and the ticket enters the IPS - Abuse - Incidents - Escalated queue. After 5 more business days, a request is sent to the Network Operations Center to block the host. A ticket can also be escalated if more than 5 reports are received for the same host.
- IPS - Abuse - Incidents - Critical queue is critical priority. After 1 business day, the Administrative Contact is notified that the ticket is overdue. After 1 more business day, a request is sent to the Network Operations Center to block the host. The Director of Information Protection is routinely notified of incidents in the IPS - Abuse - Incidents - Critical queue. A ticket is entered in the IPS - Abuse - Incidents - Critical queue if the host is on the critical hosts list (GLBA, PCI and SEVIS compliance responsibilities) or if exposure of Non-Public Personal Information is involved in the incident.
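The two escalation schedules above, written out as an added example (not RU CIRT's own tooling): it counts business days since a ticket was opened and returns the queue the ticket should sit in and the actions due. Assumptions: business days are Monday to Friday with no holiday calendar, and the queue names and action labels are placeholders for whatever the ticketing system uses.

```python
from datetime import date, timedelta

# Thresholds taken from the escalation rules above (in business days).
NORMAL_OVERDUE_DAYS = 5        # notify Administrative Contact, move to Escalated queue
NORMAL_BLOCK_DAYS = 10         # 5 more business days: ask the NOC to block the host
CRITICAL_OVERDUE_DAYS = 1
CRITICAL_BLOCK_DAYS = 2
REPORT_ESCALATION_THRESHOLD = 5  # more than 5 reports for one host also escalates

NORMAL_QUEUE = "IPS - Abuse - Incidents"
ESCALATED_QUEUE = "IPS - Abuse - Incidents - Escalated"
CRITICAL_QUEUE = "IPS - Abuse - Incidents - Critical"


def business_days_between(start: date, end: date) -> int:
    """Count weekdays strictly after `start` up to and including `end`.
    Assumption: no holiday calendar, only Saturday/Sunday are skipped."""
    days = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def initial_queue(on_critical_hosts_list: bool, npi_exposed: bool) -> str:
    """Critical queue for critical-list hosts (GLBA/PCI/SEVIS) or NPI exposure."""
    return CRITICAL_QUEUE if (on_critical_hosts_list or npi_exposed) else NORMAL_QUEUE


def ticket_status(opened: date, today: date, queue: str, report_count: int) -> dict:
    """Return the queue the ticket belongs in and the actions now due."""
    elapsed = business_days_between(opened, today)
    critical = queue == CRITICAL_QUEUE
    overdue_at = CRITICAL_OVERDUE_DAYS if critical else NORMAL_OVERDUE_DAYS
    block_at = CRITICAL_BLOCK_DAYS if critical else NORMAL_BLOCK_DAYS
    actions = []
    if elapsed >= overdue_at:
        actions.append("notify_admin_contact")   # ticket is overdue
    if elapsed >= block_at:
        actions.append("request_noc_block")      # second deadline missed
    # Normal-priority tickets move to the Escalated queue when overdue or when
    # the same host accumulates more than the report threshold.
    if not critical and (elapsed >= overdue_at or report_count > REPORT_ESCALATION_THRESHOLD):
        queue = ESCALATED_QUEUE
    return {"queue": queue, "elapsed_business_days": elapsed, "actions": actions}
```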
Record Retention
- Three years for email to abuse@rutgers.edu
- Three years for hardcopy files related to computer incidents.
Note: HDRT tickets are retained for statistical purposes. They contain summary information such as incident type, IP address, department, and network liaison. Tickets may also contain copies of email messages reporting incidents.